The historic decision of the Court of Justice of the European Union (Court) in
Schrems II of 16 July 2020 has profound consequences on international data transfers.
With the decision, the Court declared the EU-US Privacy Shield invalid with immediate effect. Furthermore, it confirmed the validity of Standard Contractual Clauses (SCCs), while effectively limiting the situations in which SCCs can still be relied on and emphasising the (additional) obligations that come with using them. The decision affects data transfers to the US and (indirectly) to other countries outside the European Economic Area (EEA). It also indirectly affects all data transfer instruments other than the EU-US Privacy Shield and SCCs (controller/processor), such as SCCs (controller/controller) and Binding Corporate Rules. As a result of this landmark decision, organisations will have to take prompt, proactive action. The relevance and key aspects of the decision, and the necessary next steps, are explained below.
1. Why is this decision relevant for my organisation?
- The decision's effective impact is broad: The decision concerns data transfers to the US based on the EU-US Privacy Shield or SCCs, specifically to providers falling under Section 702 of the US Foreign Intelligence Surveillance Act (FISA 702) and/or Executive Order (EO) 12.333, which include cloud providers such as Amazon and Microsoft. However, the Court's views on the level of data protection provided under US law, and on the requirements for data transfers under these conditions, are of a general nature, so the effect of the decision is much broader. It also has more impact than its predecessor Schrems I, which invalidated the Safe Harbor instrument in 2015. Schrems II holds that the destination third country must offer a level of protection essentially equivalent to that guaranteed under EU law (including the General Data Protection Regulation; GDPR), and sets out the requirements that must be met for lawful transfers of personal data to third countries. Therefore, despite its focus on the validity of the EU-US Privacy Shield and the SCCs (controller/processor) for transfers to the US, the decision also affects other data transfer instruments and transfers to third countries other than the US.
- Almost all organisations transfer personal data to third countries: although you may not always be aware of it, your organisation likely transfers personal data, directly or indirectly (via subprocessors), to a third country that is not deemed to provide an adequate level of data protection. A list of the EU's adequacy decisions is available here; the EU-US Privacy Shield is no longer among them. As many organisations do, such a transfer can be based on one of the three currently available SCCs, on the now invalidated EU-US Privacy Shield, or on another data transfer instrument, such as Binding Corporate Rules (BCR). Such international transfers of personal data to a third country may result from, for example:
- Outsourcing to service providers in third countries, such as the US: organisations usually obtain IT services from service providers, and these services normally involve the processing of personal data. If you obtain services directly from a service provider located in a third country (one without an adequacy decision), there will likely be a relevant transfer of personal data that needs to be based on a legitimate transfer instrument.
- Outsourcing to service providers in the EEA: organisations often contract with a service provider located in the EEA. However, these EEA-based service providers usually subcontract their services, for cost reasons or to be able to provide 24/7 services such as cloud infrastructure or support, to service providers located in third countries, or they are part of a group with (head) offices and servers located in third countries. It should also be noted that foreign surveillance programs can have extraterritorial effects: US FISA 702, EO 12.333, and the CLOUD Act allow US intelligence and law enforcement authorities to reach certain data located in other countries. Thus, even if the personal data are on a server in the EEA, there may be a relevant international data transfer.
- Intra-group transfers: multinationals may have branch offices, subsidiaries, or even their head offices, located in third countries. Personal data of employees, customers, and other data subjects are usually shared and transferred between these establishments, resulting in transfers to third countries from an EEA perspective.
2. What are the key elements of the decision?
- SCCs still valid, but require checks and additional measures (prior due diligence and constant monitoring are required): SCCs remain valid for transferring personal data from the EEA to third countries, but only subject to prior verification and constant monitoring, which may lead to (emergency) suspension and termination obligations under the SCCs if the third country does not (or no longer does) provide a level of data protection essentially equivalent to that guaranteed under the GDPR. Using SCCs will, therefore, require additional measures and upkeep, as the Court specifically emphasised that:
- Organisations have a duty to verify the level of data protection: the organisation transferring personal data to a third country is required to verify, prior to any transfer, that the level of data protection required under EU law is respected in the third country concerned. This level of protection should also be monitored once the SCCs have been concluded.
- Supervisory authorities must act (stop or suspend transfers): supervisory authorities have a duty to act on a case-by-case basis and take appropriate action, including suspending or prohibiting the data transfer, if they conclude that there is no adequate level of protection in the third country to which the personal data are transferred and the data exporter and importer have not implemented sufficient additional safeguards.
- EU-US Privacy Shield declared invalid: the EU-US Privacy Shield has been declared invalid and can no longer be used for transferring personal data to the US. This is based on the view of the Court that US surveillance programs do not contain clear limitations and safeguards essentially equivalent to those required under EU law. The Court specifically found that the US surveillance programs do not indicate any limitations on the surveillance powers or the existence of guarantees for potentially targeted non-US persons. Moreover, US law does not grant data subjects actionable rights before the courts against the US authorities. The Ombudsperson created under the EU-US Privacy Shield does not qualify as such judicial protection, in view of its lack of independence and power to take binding decisions.
3. Will supervisory authorities immediately take actions based on this decision of the Court?
- Immediate effect/no grace period: the Court's decision has immediate effect, so there is no grace period. See also the FAQ of the EDPB.
- More detailed guidance by the EDPB and local supervisory authorities expected: there have been initial statements by the European Data Protection Board and by national supervisory authorities (see here for an overview, and see for example the Berlin supervisory authority and the FAQ of the German regional supervisory authority of Rhineland-Palatinate), as well as by other organisations, such as the European Commission (indicating, amongst other things, the swift finalisation of modernised SCCs) and the US Department of Commerce (indicating that the decision of the Court does not relieve participants of their obligations under the EU-US Privacy Shield). The FAQ of the US Department of Commerce has emphasised this as well (see here). The European Data Protection Board has emphasised the importance of ensuring consistency and will provide clarifications and guidance on the use of data transfer instruments.
- Duty to act: after the invalidation of Safe Harbor (the predecessor of the EU-US Privacy Shield) by the Court in its Schrems I decision in 2015, national supervisory authorities granted a transition period for organisations to move their data transfers to a valid data transfer instrument. It remains to be seen whether there will be such a transition period again, as the Court emphasised in its decision that supervisory authorities have a duty to act. Especially where data subjects file complaints, organisations should assume that the competent supervisory authority will investigate and take action, such as ordering the data transfer to be suspended or stopped and imposing substantial sanctions.
4. What steps should my organisation take now?
As the steps below will likely require substantial resources and time, it may be advisable to take a risk-based approach: assess and start with the most business-critical, important or otherwise risky transfers of personal data from the EEA to third countries. In any case, we recommend taking the steps below. In this respect, keep in mind that this should not be a "paper exercise" only. All steps should be performed with due care, assessing all the obligations and risks involved, and bearing in mind your organisation's accountability obligation.
1. Identify international data transfers: map all (onward) transfers of personal data from the EEA to third countries, including access from such third countries to personal data in the EEA. You should also check transfers to subcontractors and other onward transfers. Your organisation’s internal register of processing activities, as required under article 30 GDPR, is a good starting point for this.
2. Check upon which data transfer instrument these data transfers rely: check on the basis of the relevant contracts and other documentation which data transfer instrument is being relied on to transfer personal data from the EEA to the destination third countries. This can be (a combination of), for example, the now invalidated EU-US Privacy Shield (for the US), SCCs (controller-processor or controller-controller version), BCR, adequacy decision of the European Commission (other than the Privacy Shield), or one of the derogations under article 49 GDPR (such as explicit consent of the data subject or transfers necessary for the performance of a contract with or in the interest of the data subject).
3. If it concerns a transfer to the US under the EU-US Privacy Shield:
a. Verify whether the transfer falls within the scope of the EU-US Privacy Shield registration of the US recipient and that only the EU-US Privacy Shield is used as data transfer instrument. The current registrations are still available here. It is important to note that the FAQ of the US Department of Commerce have clarified that the requirements for re-certification and applicable costs remain valid if an organisation continues to be registered under Privacy Shield.
b. Check whether the transfer is still necessary or can (cost effectively) be switched to an EEA-based provider.
c. If not, check whether the data transfer can be based on one of the derogations under article 49 GDPR. Please note that the European Data Protection Board has indicated in its guidance that these derogations may only be used in limited, necessary cases for occasional and non-repetitive transfers. Outsourcing of processing operations, including intra-group outsourcing, does not qualify as such a necessary transfer. This means that it will mostly not be possible to rely on these derogations. If your organisation still relies, or intends to rely, on one of these derogations, it should carefully document the legitimacy thereof.
d. If not, check whether the recipient qualifies either as controller or processor, and whether it is possible to transition to another data transfer instrument, such as the relevant SCCs. If so, amend the relevant contracts and documentation, including the internal register of processing activities. See also further below on the (verification and additional measures) actions in relation to SCCs.
e. If that is (also) not possible, the transfer/processing operation should be suspended/stopped and the agreement with the recipient terminated. The personal data will need to be returned by the data importer to the data exporter (or deleted). In such a case, check whether you can recover costs from the other party.
4. Transfers to the US based on SCCs (also relevant for BCRs):
a. If the transfer is to the US, including if the processing in the EEA is linked to or uses a US recipient:
i. Check whether the transfer is still necessary or whether the processing can be switched to the EEA (cost effectively).
ii. If not, verify whether the US recipient falls under FISA 702/EO 12.333. FISA 702 applies to electronic communication service providers, such as Amazon and Microsoft. It may be advisable to verify this with the US recipient.
iii. If yes, check, together with the US recipient, whether in the individual case sufficient additional measures have been taken or can be taken to prevent mass surveillance by US authorities. These measures can be of a contractual and technical nature, such as encryption in transit and at rest (which only helps if the keys are held outside the reach of the US recipient), and obligations imposed on the EU subsidiary of the US recipient ensuring that the US recipient cannot access the personal data.
iv. If not, verify whether the US recipient has taken sufficient technical measures to prevent mass surveillance in transit, or have the US recipient implement such measures.
v. If none of the above is possible, the transfer should be suspended/stopped, and the agreement, including the SCCs, terminated. The personal data will need to be returned by the data importer to the data exporter (or deleted). In any case, it is advisable to check whether the costs thereof can be recovered.
b. If the transfer is to a third country other than the US:
i. Verify, together with the recipient if needed, whether the level of protection in the destination country is essentially equivalent to that provided under EU law. Relevant elements for this assessment are factors such as whether (mass) surveillance in the third country is limited to what is necessary and proportionate on the basis of clear and precise rules, whether there is an independent (judicial) oversight mechanism for the use of such powers, and whether all data subjects have effective (judicial) remedies available to them. If the safeguards are essentially equivalent, this assessment should be properly documented.
ii. If not, check whether additional measures should be taken on top of the SCCs and, if so, implement such measures. These additional measures can range from additional contractual measures to technical measures, such as encryption in transit and at rest (with keys kept outside the recipient's reach), or moving the processing to the EEA. The additional measures should be properly documented, also in view of your accountability obligation. The FAQ of the European Data Protection Board has clarified that the measures to be taken should be assessed on a case-by-case basis.
iii. If additional measures are still insufficient, the transfer should be suspended/stopped, and the SCCs terminated. The personal data will need to be returned by the data importer to the data exporter (or deleted). In any case, it is advisable to check whether the costs can be recovered from the other party.
5. Transfers based on adequacy decisions of the European Commission: keep monitoring the periodic evaluation of and updates to these decisions by the European Commission. These instruments remain valid, and transfers based on them are not unlawful, until the adequacy decision for a given third country is withdrawn by the European Commission or invalidated by the Court.
Keep in touch
Please note that this document is an updated version of our news alert of 22 July 2020, and may be updated based on expected guidance from the European Data Protection Board (EDPB) and other on-going developments.